Industrial field devices, such as, for example, control devices for railroad and track installations, for controlling traffic lights or variable traffic signs, or for monitoring pipelines, are mostly to be found in areas that are accessible to the public or that are difficult for the operator to monitor, which means that technically it cannot be ruled out that unauthorized third parties can gain access to a field device and perpetrate manipulation attempts thereon. In this context the term “tampering” is also used to describe unauthorized interventions and manipulations.
Because field devices possess integrated security functionality, by means of which for example external communication with control centers or computer centers is safeguarded by cryptographic mechanisms, it is necessary to provide corresponding security-relevant data that is required by the field device in order to function correctly with adequate protection against tampering.
Suitable candidates for storing security-relevant data such as cryptographic communication keys for example are basically security chips specifically provided for this function, for example security ICs, which not only store the key data securely but also perform essential chip-internal cryptographic calculations with the key data. Here, the security chip itself is in most cases tamper-protected, which is to say embedded in a suitable manipulation-protected environment.
However, security chips of said type cannot be provided with external tamper or manipulation sensors by means of which manipulation attempts outside the manipulation-protected environment in which the chip itself is embedded can be registered. It is nonetheless desirable, even in the case of such manipulation attempts, to be able to guarantee the confidentiality of the security-relevant data on the security chip.
In the prior art the arithmetic logic unit or controller of the field device has hitherto been responsible for initiating security measures in the event of a manipulation attempt on the field device. For that purpose the controller must be in an active operating mode. Often, however, the controller has been switched to an inactive state or even is not operational or not supplied with sufficient electric power when a manipulation occurs.
There is therefore a need for solutions with the aid of which suitable security measures for safeguarding the confidentiality of security-relevant data in a security chip of a field device can be reliably, efficiently and quickly initiated when attempts are made to manipulate the field device.